feta: improve variables

.github/workflows/lint.yaml

@@ -1,5 +1,5 @@
 name: Lint
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   tflint:

README.md

@@ -16,16 +16,18 @@ A non-official Linkerd2 Terraform Module
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_time"></a> [time](#requirement\_time) | 0.11.1 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.13.2 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.30.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.11.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_helm"></a> [helm](#provider\_helm) | n/a |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.13.2 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.30.0 |
 | <a name="provider_time"></a> [time](#provider\_time) | 0.11.1 |
-| <a name="provider_tls"></a> [tls](#provider\_tls) | n/a |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.5 |
 
 ## Modules
 
@@ -52,9 +54,9 @@ No modules.
 | [kubernetes_secret.linkerd_root_ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.linkerd_viz_root_ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.linkerd_webhook_root_ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
-| [time_sleep.wait_control_plane_certificate_provisioning](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/sleep) | resource |
-| [time_sleep.wait_viz_certificate_provisioning](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/sleep) | resource |
-| [time_sleep.wait_webhook_certificate_provisioning](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/sleep) | resource |
+| [time_sleep.wait_control_plane_certificate_provisioning](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_viz_certificate_provisioning](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_webhook_certificate_provisioning](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [tls_private_key.linkerd_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [tls_private_key.linkerd_viz_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [tls_private_key.linkerd_webhook_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
@@ -72,13 +74,22 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_control_plane_ca_validity"></a> [control\_plane\_ca\_validity](#input\_control\_plane\_ca\_validity) | Control plane Issuer CA validity in hours eg: 175200 for 20 years | `string` | `"175200"` | no |
+| <a name="input_control_plane_cert_duration"></a> [control\_plane\_cert\_duration](#input\_control\_plane\_cert\_duration) | Control plane TLS cert duration eg: 24h0m0s | `string` | `"72h0m0s"` | no |
+| <a name="input_control_plane_cert_renew_before"></a> [control\_plane\_cert\_renew\_before](#input\_control\_plane\_cert\_renew\_before) | Control plane TLS cert renew before eg: 1h0m0s | `string` | `"24h0m0s"` | no |
 | <a name="input_control_plane_helm_version"></a> [control\_plane\_helm\_version](#input\_control\_plane\_helm\_version) | Control plane helm version | `string` | `"1.16.11"` | no |
 | <a name="input_control_plane_namespace"></a> [control\_plane\_namespace](#input\_control\_plane\_namespace) | Control plane namespace | `string` | `"linkerd"` | no |
 | <a name="input_crds_helm_vesion"></a> [crds\_helm\_vesion](#input\_crds\_helm\_vesion) | Crds helm version | `string` | `"1.8.0"` | no |
-| <a name="input_kubernetes"></a> [kubernetes](#input\_kubernetes) | n/a | <pre>object({<br>    host : string,<br>    cluster_ca_certificate : string,<br>    token : string,<br>  })</pre> | n/a | yes |
+| <a name="input_kubernetes"></a> [kubernetes](#input\_kubernetes) | Kubernetes connection configuration | <pre>object({<br>    host : string,<br>    cluster_ca_certificate : string,<br>    token : string,<br>  })</pre> | n/a | yes |
 | <a name="input_linkerd_repository"></a> [linkerd\_repository](#input\_linkerd\_repository) | stable \| edge \| enterprise | `string` | `"stable"` | no |
+| <a name="input_viz_ca_validity"></a> [viz\_ca\_validity](#input\_viz\_ca\_validity) | Viz Issuer CA validity in hours eg: 175200 for 20 years | `string` | `"175200"` | no |
+| <a name="input_viz_cert_duration"></a> [viz\_cert\_duration](#input\_viz\_cert\_duration) | Viz TLS cert duration eg: 24h0m0s | `string` | `"48h0m0s"` | no |
+| <a name="input_viz_cert_renew_before"></a> [viz\_cert\_renew\_before](#input\_viz\_cert\_renew\_before) | Viz TLS cert renew before eg: 1h0m0s | `string` | `"24h0m0s"` | no |
 | <a name="input_viz_helm_version"></a> [viz\_helm\_version](#input\_viz\_helm\_version) | Viz helm version | `string` | `"30.12.11"` | no |
 | <a name="input_viz_namespace"></a> [viz\_namespace](#input\_viz\_namespace) | Viz namespace | `string` | `"linkerd-viz"` | no |
+| <a name="input_webhook_ca_validity"></a> [webhook\_ca\_validity](#input\_webhook\_ca\_validity) | Webhook Issuer CA validity in hours eg: 175200 for 20 years | `string` | `"175200"` | no |
+| <a name="input_webhook_cert_duration"></a> [webhook\_cert\_duration](#input\_webhook\_cert\_duration) | Webhook TLS cert duration eg: 24h0m0s | `string` | `"48h0m0s"` | no |
+| <a name="input_webhook_cert_renew_before"></a> [webhook\_cert\_renew\_before](#input\_webhook\_cert\_renew\_before) | Webhook TLS cert renew before eg: 1h0m0s | `string` | `"24h0m0s"` | no |
 
 ## Outputs
 

main.tf

@@ -79,7 +79,7 @@ resource "helm_release" "linkerd_control_plane" {
 
   set {
     name  = "cniEnabled"
-    value = "true"
+    value = "false"
   }
 
   set {

providers.tf

@@ -1,14 +1,16 @@
 terraform {
   required_providers {
     kubernetes = {
-      source = "hashicorp/kubernetes"
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.30.0"
     }
     helm = {
-      source = "hashicorp/helm"
+      source  = "hashicorp/helm"
+      version = ">= 2.13.2"
     }
     time = {
       source  = "hashicorp/time"
-      version = "0.11.1"
+      version = ">= 0.11.1"
     }
   }
 }

tls-control-plane.tf

@@ -7,7 +7,7 @@ resource "tls_self_signed_cert" "linkerd_root_ca" {
   private_key_pem       = tls_private_key.linkerd_private_key.private_key_pem
   is_ca_certificate     = true
   set_subject_key_id    = true
-  validity_period_hours = 175200 # 20 years
+  validity_period_hours = var.control_plane_ca_validity
   dns_names             = ["root.linkerd.cluster.local"]
 
   subject {
@@ -62,8 +62,8 @@ resource "kubernetes_manifest" "linkerd_identity_issuer_certificate" {
     }
     "spec" = {
       "secretName"  = "linkerd-identity-issuer"
-      "duration"    = "48h0m0s"
-      "renewBefore" = "6h0m0s"
+      "duration"    = "${var.control_plane_cert_duration}"
+      "renewBefore" = "${var.control_plane_cert_renew_before}"
       "issuerRef" = {
         "name" = "linkerd-trust-anchor"
         "kind" = "Issuer"

tls-viz.tf

@@ -7,7 +7,7 @@ resource "tls_self_signed_cert" "linkerd_viz_root_ca" {
   private_key_pem       = tls_private_key.linkerd_viz_private_key.private_key_pem
   is_ca_certificate     = true
   set_subject_key_id    = true
-  validity_period_hours = 175200 # 20 years
+  validity_period_hours = var.viz_ca_validity
   dns_names             = ["webhook.linkerd.cluster.local"]
 
   subject {
@@ -62,8 +62,8 @@ resource "kubernetes_manifest" "linkerd_viz_certificate" {
     }
     "spec" = {
       "secretName"  = "tap-k8s-tls"
-      "duration"    = "24h0m0s"
-      "renewBefore" = "1h0m0s"
+      "duration"    = "${var.viz_cert_duration}"
+      "renewBefore" = "${var.viz_cert_renew_before}"
       "issuerRef" = {
         "name" = "webhook-issuer"
         "kind" = "Issuer"
@@ -97,8 +97,8 @@ resource "kubernetes_manifest" "linkerd_tap_injector_certificate" {
     }
     "spec" = {
       "secretName"  = "tap-injector-k8s-tls"
-      "duration"    = "24h0m0s"
-      "renewBefore" = "1h0m0s"
+      "duration"    = "${var.viz_cert_duration}"
+      "renewBefore" = "${var.viz_cert_renew_before}"
       "issuerRef" = {
         "name" = "webhook-issuer"
         "kind" = "Issuer"

tls-webhook.tf

@@ -7,7 +7,7 @@ resource "tls_self_signed_cert" "linkerd_webhook_root_ca" {
   private_key_pem       = tls_private_key.linkerd_private_key.private_key_pem
   is_ca_certificate     = true
   set_subject_key_id    = true
-  validity_period_hours = 175200 # 20 years
+  validity_period_hours = var.webhook_ca_validity
   dns_names             = ["webhook.linkerd.cluster.local"]
 
   subject {
@@ -62,8 +62,8 @@ resource "kubernetes_manifest" "linkerd_policy_validator_certificate" {
     }
     "spec" = {
       "secretName"  = "linkerd-policy-validator-k8s-tls"
-      "duration"    = "24h0m0s"
-      "renewBefore" = "1h0m0s"
+      "duration"    = "${var.webhook_cert_duration}"
+      "renewBefore" = "${var.webhook_cert_renew_before}"
       "issuerRef" = {
         "name" = "webhook-issuer"
         "kind" = "Issuer"
@@ -98,8 +98,8 @@ resource "kubernetes_manifest" "linkerd_proxy_injector_certificate" {
     }
     "spec" = {
       "secretName"  = "linkerd-proxy-injector-k8s-tls"
-      "duration"    = "24h0m0s"
-      "renewBefore" = "1h0m0s"
+      "duration"    = "${var.webhook_cert_duration}"
+      "renewBefore" = "${var.webhook_cert_renew_before}"
       "issuerRef" = {
         "name" = "webhook-issuer"
         "kind" = "Issuer"
@@ -133,8 +133,8 @@ resource "kubernetes_manifest" "linkerd_sp_validator_certificate" {
     }
     "spec" = {
       "secretName"  = "linkerd-sp-validator-k8s-tls"
-      "duration"    = "24h0m0s"
-      "renewBefore" = "1h0m0s"
+      "duration"    = "${var.webhook_cert_duration}"
+      "renewBefore" = "${var.webhook_cert_renew_before}"
       "issuerRef" = {
         "name" = "webhook-issuer"
         "kind" = "Issuer"

variables.tf

@@ -1,4 +1,5 @@
 variable "kubernetes" {
+  description = "Kubernetes connection configuration"
   type = object({
     host : string,
     cluster_ca_certificate : string,
@@ -23,6 +24,41 @@ variable "control_plane_namespace" {
   default     = "linkerd"
 }
 
+variable "control_plane_ca_validity" {
+  description = "Control plane Issuer CA validity in hours eg: 175200 for 20 years"
+  type        = string
+  default     = "175200"
+}
+
+variable "control_plane_cert_duration" {
+  description = "Control plane TLS cert duration eg: 24h0m0s"
+  type        = string
+  default     = "72h0m0s"
+}
+
+variable "control_plane_cert_renew_before" {
+  description = "Control plane TLS cert renew before eg: 1h0m0s"
+  type        = string
+  default     = "24h0m0s"
+}
+
+variable "webhook_ca_validity" {
+  description = "Webhook Issuer CA validity in hours eg: 175200 for 20 years"
+  type        = string
+  default     = "175200"
+}
+
+variable "webhook_cert_duration" {
+  description = "Webhook TLS cert duration eg: 24h0m0s"
+  type        = string
+  default     = "48h0m0s"
+}
+
+variable "webhook_cert_renew_before" {
+  description = "Webhook TLS cert renew before eg: 1h0m0s"
+  type        = string
+  default     = "24h0m0s"
+}
 variable "viz_helm_version" {
   description = "Viz helm version"
   type        = string
@@ -35,6 +71,24 @@ variable "viz_namespace" {
   default     = "linkerd-viz"
 }
 
+variable "viz_ca_validity" {
+  description = "Viz Issuer CA validity in hours eg: 175200 for 20 years"
+  type        = string
+  default     = "175200"
+}
+
+variable "viz_cert_duration" {
+  description = "Viz TLS cert duration eg: 24h0m0s"
+  type        = string
+  default     = "48h0m0s"
+}
+
+variable "viz_cert_renew_before" {
+  description = "Viz TLS cert renew before eg: 1h0m0s"
+  type        = string
+  default     = "24h0m0s"
+}
+
 variable "crds_helm_vesion" {
   description = "Crds helm version"
   type        = string